BoomBox

Malware Profile Updated 3 months ago
BoomBox, tracked by Microsoft as a malicious downloader, is one stage of an infection chain that also includes EnvyScout, NativeZone, and VaporRage and is notable for relying on trusted channels. BoomBox first downloads an encrypted file from a Dropbox account controlled by the actor. It discards the first 10 bytes (header) and the last 7 bytes (footer) of the download, decrypts the remainder with a hardcoded encryption key and IV, and writes the result to %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll.

As a reconnaissance step, if the infected host is domain-joined, BoomBox runs an LDAP query that collects the distinguished name, SAM account name, email, and display name of every domain user. It then downloads a second encrypted file from Dropbox, again discarding bytes from the header and footer before decryption. The collected host information is AES-encrypted and disguised as a PDF by prepending and appending the PDF magic markers to the ciphertext; BoomBox uploads it to a per-victim-system folder in Dropbox and continues even if the upload fails. It checks for a successful upload by matching regular expressions against the HTTP response from Dropbox.
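Two of the artefact shapes described above are easy to recognise from a defender's side without any key material: the downloaded file with its 10-byte header and 7-byte footer of junk, and the exfiltration blob that carries PDF markers around an AES ciphertext. The following Python is an added example written for this profile; it is not code from Microsoft, Cybergeist, or the malware itself. It assumes that "magic markers for PDF" means the standard `%PDF-` header and `%%EOF` trailer, and uses a hypothetical entropy threshold of 7.0 bits/byte to flag a body that looks encrypted; the hardcoded key and IV are not on the page, so the helper only isolates the ciphertext and does not decrypt it.

```python
import math
import re

# Wrapper layout the profile describes for files BoomBox pulls from Dropbox.
HEADER_JUNK = 10   # bytes discarded from the start of the download
FOOTER_JUNK = 7    # bytes discarded from the end
AES_BLOCK = 16

# Assumed: "magic markers for PDF" means the standard header and trailer.
PDF_HEADER = b"%PDF-"
PDF_TRAILER = b"%%EOF"

# Tokens any genuine PDF body carries; an AES ciphertext blob will not.
PDF_STRUCTURE = re.compile(rb"\b(obj|xref|trailer)\b")
HIGH_ENTROPY = 7.0   # bits per byte; hypothetical threshold for "looks encrypted"


def unwrap_downloaded_payload(blob: bytes) -> bytes:
    """Strip the 10-byte header and 7-byte footer BoomBox discards.

    Returns the ciphertext an analyst still has to decrypt with the key and
    IV recovered from the sample (neither is on the page, so none is used here).
    """
    if len(blob) <= HEADER_JUNK + FOOTER_JUNK:
        raise ValueError("blob too short to hold a wrapped payload")
    return blob[HEADER_JUNK:len(blob) - FOOTER_JUNK]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strip_pdf_markers(blob: bytes):
    """Return the bytes between the PDF header and trailer, or None if either is missing."""
    trimmed = blob.rstrip(b"\r\n")
    if not (trimmed.startswith(PDF_HEADER) and trimmed.endswith(PDF_TRAILER)):
        return None
    return trimmed[len(PDF_HEADER):len(trimmed) - len(PDF_TRAILER)]


def classify_pdf_candidate(blob: bytes) -> str:
    """Classify a file that claims to be a PDF.

    'no-pdf-markers'         - header or trailer absent
    'pdf'                    - carries real PDF object structure
    'masqueraded-ciphertext' - PDF markers wrap a block-aligned, high-entropy body
                               (the exfiltration shape the profile describes)
    'malformed-pdf'          - markers present but neither structure nor ciphertext
    """
    body = strip_pdf_markers(blob)
    if body is None:
        return "no-pdf-markers"
    if PDF_STRUCTURE.search(body):
        return "pdf"
    if body and len(body) % AES_BLOCK == 0 and shannon_entropy(body) >= HIGH_ENTROPY:
        return "masqueraded-ciphertext"
    return "malformed-pdf"


# Constructed samples (not real BoomBox artefacts).
GENUINE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"xref\n0 1\ntrailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)
# bytes(range(256)) stands in for ciphertext: exactly 8 bits/byte and 16-byte aligned.
FAKE_PDF = PDF_HEADER + bytes(range(256)) + PDF_TRAILER
WRAPPED_DOWNLOAD = b"H" * HEADER_JUNK + bytes(range(32)) + b"F" * FOOTER_JUNK

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE_PDF), ("fake", FAKE_PDF), ("text", b"hello")]:
        print(f"{name}: {classify_pdf_candidate(sample)}")
    print("unwrapped payload length:", len(unwrap_downloaded_payload(WRAPPED_DOWNLOAD)))
```

The classifier deliberately requires all three signals (markers present, no PDF object structure, block-aligned high-entropy body) before labelling a file as masqueraded ciphertext, so a merely corrupt PDF lands in `malformed-pdf` rather than raising a false alert; in a hunting pipeline it would be run over files seen in outbound uploads to cloud storage rather than on disk.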
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Payload
Downloader
Windows
Encryption
Reconnaissance
Associated Malware
NativeZone (type: Unspecified; votes: 1): NativeZone is a malware identified as a custom Cobalt Strike Beacon loader. This malicious software was dubbed NativeZone by Microsoft and is typically loaded and executed through rundll32.exe to deliver follow-on payloads. The malware uses DLL files, such as Document.dll and NativeCacheSvc.dll, and
VaporRage (type: Unspecified; votes: 1): VaporRage, identified and tracked by Microsoft, is a sophisticated malware variant that operates as a shellcode downloader. This malicious software, embedded within the CertPKIProvider.dll file, is part of a unique infection chain used by the cyber threat group NOBELIUM, which also includes other to
Associated Threat Actors
NOBELIUM (type: Unspecified; votes: 1): Nobelium, a threat actor linked to Russia's SVR, has been actively targeting French diplomatic entities as part of its cyber-espionage activities. The Advanced Persistent Threat (APT) group has utilized sophisticated techniques such as phishing and attempts to install Cobalt Strike, an advanced malw
Associated Vulnerabilities
No associations to display
Source Document References
Information about the BoomBox malware was read from the documents listed below (this display is limited to 20 results).
MITRE (added a year ago): Breaking down NOBELIUM’s latest early-stage toolset - Microsoft Security Blog